Expert in secure backend coding practices specializing in input validation, authentication, and API security. Use PROACTIVELY for backend security implementations or security code reviews.
49%
Does it follow best practices?
Impact: Pending. No eval scenarios have been run.
Passed: No known issues.
Quality
Discovery
67%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description provides a reasonable overview of the skill's domain and includes an explicit 'Use when' clause, which is a strength. However, the capabilities listed are more like high-level categories than concrete actions, and the trigger terms miss many natural phrases users would employ when seeking security help. The description would benefit from more specific actions and richer keyword coverage.
Suggestions
Add more specific concrete actions, e.g., 'sanitize user inputs against SQL injection and XSS, implement JWT/OAuth authentication flows, configure rate limiting and CORS policies'.
Expand trigger terms to include natural user phrases like 'SQL injection', 'XSS', 'CSRF protection', 'password hashing', 'token validation', 'vulnerability', 'secure endpoint', 'OWASP'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (backend security) and some actions (input validation, authentication, API security, security code reviews), but these are more like categories than concrete actions. It doesn't list specific tasks like 'sanitize SQL queries, implement JWT token validation, configure CORS headers'. | 2 / 3 |
| Completeness | Clearly answers both what ('secure backend coding practices specializing in input validation, authentication, and API security') and when ('Use PROACTIVELY for backend security implementations or security code reviews'), with explicit trigger guidance. | 3 / 3 |
| Trigger Term Quality | Includes some relevant keywords like 'input validation', 'authentication', 'API security', and 'security code reviews', but misses many natural user terms like 'SQL injection', 'XSS', 'CSRF', 'OAuth', 'password hashing', 'encryption', 'vulnerability', or 'secure endpoint'. | 2 / 3 |
| Distinctiveness / Conflict Risk | The focus on 'backend security' provides some distinctiveness, but terms like 'authentication' and 'API security' could overlap with general backend development skills, API design skills, or authentication-specific skills. The scope is broad enough to potentially conflict with adjacent skills. | 2 / 3 |
| Total | | 9 / 12 Passed |
Implementation
7%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads as a role description or persona prompt rather than an actionable skill. It exhaustively catalogs security topics Claude already knows well, without providing any concrete code examples, specific implementation patterns, or executable guidance. The content would be far more effective if it were reduced to ~20% of its current size and replaced the taxonomic lists with specific, copy-paste-ready code patterns for the most critical security implementations.
Suggestions
Replace the abstract capability lists with concrete, executable code examples for the most critical patterns (e.g., parameterized queries, JWT validation, CSP header configuration, input validation middleware).
Remove the 'Knowledge Base', 'Behavioral Traits', and 'Capabilities' taxonomy sections entirely — Claude already knows these concepts. Focus only on project-specific conventions or non-obvious implementation details.
Add explicit validation/verification workflows, e.g., 'After implementing auth, verify by: 1. Run `npm test -- --grep security` 2. Check that invalid tokens return 401 3. Verify refresh token rotation invalidates old tokens'.
Move detailed reference material into the referenced 'resources/implementation-playbook.md' and keep SKILL.md as a concise overview with quick-start patterns and clear pointers to detailed docs.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose and padded with information Claude already knows. The bulk of the content is a taxonomy of security concepts (OWASP Top 10, JWT, CSRF, etc.) that Claude is already deeply familiar with. Lists like 'Behavioral Traits', 'Knowledge Base', and 'Capabilities' describe general security knowledge rather than providing new, actionable instructions. The 'Example Interactions' section lists prompts rather than providing useful examples. | 1 / 3 |
| Actionability | No concrete code, commands, or executable examples anywhere in the skill. The entire content is abstract descriptions and categorized lists of security topics. Statements like 'Implement input validation with comprehensive sanitization and allowlist approaches' are vague directions, not actionable guidance. There are zero code snippets, zero specific implementation patterns, and zero copy-paste-ready solutions. | 1 / 3 |
| Workflow Clarity | The 'Response Approach' section lists 9 high-level steps, but they are abstract and lack any validation checkpoints, error recovery, or concrete sequencing. For a skill dealing with security implementations (which are inherently risky operations), there are no verification steps, no testing workflows, and no feedback loops. | 1 / 3 |
| Progressive Disclosure | There is one reference to an external file ('resources/implementation-playbook.md'), which suggests some progressive disclosure intent. However, the main content is a monolithic wall of categorized lists that could be dramatically shortened or split into separate reference files. The structure uses headers, but the content under each is just bullet-point descriptions rather than actionable overviews. | 2 / 3 |
| Total | | 5 / 12 Passed |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| metadata_version | 'metadata.version' is missing | Warning |
| Total | | 10 / 11 Passed |
Reviewed